Lenovo Rocked By Critical BIOS Vulnerability, Fingers Point To Shoddy Intel Reference Code

Lenovo is finding itself embroiled in yet another security scandal, and this time it revolves around the BIOS used in many of its PC systems. According to security researcher Dmytro Oleksiuk (aka Cr4sh), the vulnerability lies in the SystemSmmRuntimeRt UEFI driver component of Lenovo’s firmware. Oleksiuk claims that the vulnerability is present in every ThinkPad machine dating back as far as the X220 and as recently as the T450s.

The vulnerability can allow a malicious party to run System Management Mode code on a machine, granting the ability to not only disable flash write protection, but also Secure Boot. It’s also possible to bypass the Virtual Secure Mode (VSM) that is used by Windows 10 Enterprise.


So how exactly did this vulnerability pass under Lenovo’s nose without it sniffing out something funky? Well, Lenovo claims that one of its Independent BIOS Vendors (IBVs) developed the BIOS installed on its ThinkPad machines, and that the IBV simply copy/pasted reference code straight from Intel (which is common practice). However, the vulnerability was not detected until Oleksiuk started snooping around.

Lenovo is understandably a bit peeved about the disclosure of this gaping hole in its security, writing, “Shortly after the researcher stated over social media that he would disclose a BIOS-level vulnerability in Lenovo products, Lenovo PSIRT made several unsuccessful attempts to collaborate with the researcher in advance of his publication of this information.”

Lenovo also tries to duck responsibility, instead shifting partial blame to both the IBV and Intel, which provided the original code that was copied:

The package of code with the SMM vulnerability was developed on top of a common code base provided to the IBV by Intel. Importantly, because Lenovo did not develop the vulnerable SMM code and is still in the process of determining the identity of the original author, it does not know its originally intended purpose. But, as part of the ongoing investigation, Lenovo is engaging all of its IBVs as well as Intel to identify or rule out any additional instances of the vulnerability's presence in the BIOS provided to Lenovo by other IBVs, as well as the original purpose of the vulnerable code.

Since this code originated from Intel and was likely implemented by more than one IBV, it’s highly likely that Lenovo isn’t the only OEM that’s susceptible to this particular attack vector. Lenovo is simply an easy target since it’s been caught with its hands in the cookie jar before, but we could possibly see more wide-scale fallout from this disclosure in the coming weeks and months. According to a tweet, at least one HP machine (2010 vintage) is affected.

Brandon Hill


Opinions and content posted by HotHardware contributors are their own.